In my previous article, I proposed ways that modern network-derived evidence applies to the cyber kill chain—a concept created by Eric Hutchins, Michael Cloppert, and Rohan Amin that changed how security teams approach defending their digital assets. This article focuses on an evolved, non-linear version of the kill chain called the “kill web.”
As so often happens in the security world, critics emerged from the shadows to point out what they perceived as problems with the cyber kill chain approach. One of the common concerns was that the kill chain seemed optimized for intrusions by advanced persistent threats facilitating industrial espionage via long term unauthorized access. While the authors noted that there was no “single kill chain,” this linear idea has persisted, at least in some implementations.
As early as 2016, speakers in the United States Department of Defense, specifically in the United States Navy, began publicly speaking about a “kill web” concept. In a October 2016 article by Megan Eckstein titled “Rear Adm. Mike Manazir on Weaving the Navy’s New Kill Web,” she wrote that Admiral Manazir said the following:
“[T]he Navy has many effective kill chains – a sensor that provides targeting data to a platform that can then launch a weapon against a target – in the air, ground, surface and undersea domains. The service has even made progress netting together some of these kill chains within a single domain…
Now, these kill chains need to be strung together to create a cross-domain kill web, enabling any plane or any ship to pull information from whatever sensor happens to have relevant data, regardless of domain.”
The Defense Advanced Research Agency (DARPA) published an undated article in late 2019 titled “Adapting Cross-Domain Kill-Webs (ACK)” originally by Lt Col Dan “Animal” Javorsek and now listed under Dr. Greg Kuperman.
This article notes that “ACK will assist users with selecting sensors, effectors, and support elements across military domains (space, air, land, surface, subsurface, and cyber) that span the different military Services to deliver desired effects on targets. Instead of limited, monolithic, pre-defined kill chains, these more disaggregated forces can be used to formulate adaptive “kill webs” based on all of the options available.”
Again, the focus here is on selecting sensor information and kinetic or cyber capabilities from across the joint force to deliver effects on targets. The kill web concept can be applied to digital security, in ways similar to the kill chain of a decade earlier.
A kill web for cybersecurity means being cautious of linear thinking. Intruders may pursue a single objective, but they likely have many means to accomplish their goal. For example, they may want to acquire sensitive information from a target. They could use phishing to deliver a malicious payload to an unwary victim. They could also mail malicious USB flash drives to the marketing department, pretending to be new collateral from a vendor. They could attempt to have a human operator hired as a new software developer. They could gain access to the onboarding conference call and learn how to access sensitive data as a new employee.
All of these methods circulate around the center of the kill web, which is the targeted sensitive data. By keeping these multiple adversary tactics and techniques in mind, defenders can be better prepared to defend their digital assets. Like the military, they can aspire to integrate information and capabilities from across their enterprise, whether they be internal, external, human, technical, or a combination of multiple factors.
Detecting and responding to an intruder using kill chain or kill web methodologies requires collecting and analyzing evidence of adversary activity. Corelight operates within the holistic ecosystem of third party intelligence, network evidence, infrastructure logs, and endpoint data to successfully implement a kill web-style approach to defense. By helping defenders understand how adversaries are operating on their local or cloud-based networks, Corelight enables security teams to prevent intrusions from becoming breaches.
You can learn more about Corelight’s evidence-based approach to security in our network detection and response (NDR) primer.